Google Cloud Foundation Setup
A foundation setup in Google Cloud is essentially the base layer of your cloud environment. It's the core infrastructure that supports all your applications and workloads. Think of it as the foundation of a house - it needs to be strong, secure, and well-planned to support everything built on top of it.
During the foundation setup, the relevant activities to configure are the following. Here's a breakdown of what it entails:
- Organizational Structure: How you organize your cloud resources using folders, projects, and the organization itself. This ensures proper resource management and access control.
- Identity and Access Management (IAM): Controlling who has access to what resources and what they can do with them. This is crucial for security and compliance.
- Networking: Setting up your Virtual Private Cloud (VPC) network, subnets, firewalls, and connectivity to on-premises or other cloud environments.
- Security: Implementing security measures like firewalls, organization policies, and data encryption to protect your data and applications.
- Automation: Automating tasks like resource provisioning, configuration management, and deployments to increase efficiency and reduce errors.
These steps can be performed from the console through the Google Cloud setup service.
Another option is to use Terraform to deploy the environments; for that we can choose among several options:
- Exporting Terraform code from Google Cloud setup
- Using Google Cloud Fast Fabric Terraform code
- Creating your own code tailored to your needs
Networking in Foundation setup
One of the critical steps during the foundation setup is the networking section. Here you will need to decide the network architecture and other aspects such as Shared VPCs, the connection to on-prem, firewall rules, etc.
During foundation creation, the main activities in this phase are:
- Shared Virtual Private Cloud (VPC) networks
- Configure connectivity between the external provider and Google Cloud.
- [OPTIONAL] Configure Directory Sync
- Set up a path for external egress traffic (Cloud NAT or Public Access)
- Implement network security controls (Firewall rules)
- Choose an ingress traffic option (example Load Balancer)
Here's the importance of networking in your Google Cloud foundation setup in ten bullet points:
- Connectivity: Enables communication between resources, on-premises networks, and the internet.
- Security: Allows for firewalls, security tools, and network segmentation to protect resources.
- Isolation: Creates boundaries between resources to limit the impact of security breaches.
- Performance: Optimizes routing for fast and efficient data flow.
- Scalability: Supports future growth and resource expansion.
- Flexibility: Adapts to changing application needs and hybrid/multi-cloud environments.
- Global Reach: Connects resources across different regions for low-latency access.
- Efficiency: Streamlines traffic flow and reduces data transfer costs.
- Control: Provides granular control over network traffic and access.
- Automation: Enables automated network management for reduced operational overhead.
However, there are times when you will not create the network from scratch, because it was created by someone else earlier, or the implementation documentation is not in place. For those cases, the following list of commands can be very helpful:
List VPCs in a project
gcloud compute networks list --project=<projectName>
This command displays a list of all the Virtual Private Cloud (VPC) networks within a specific Google Cloud project.
You replace <projectName> with the actual ID of your project to see its networks.
NOTE: if you want to see the results in table format, use
gcloud config set accessibility/screen_reader false
List subnets in a VPC
gcloud compute networks subnets list --network=<vpcName>
This command lists all the subnets that belong to the VPC network. You replace <vpcName> with the actual name of the VPC network you're interested in. This allows you to explore the subnet structure of the different networks in your project.
List firewall rules associated with a VPC
Note: listing firewall rules returns too much information, so in this case we are going to filter the data and only obtain the fields that appear in the following table:
gcloud compute firewall-rules list --format="table(
name,
network,
direction,
priority,
sourceRanges.list():label=SRC_RANGES,
destinationRanges.list():label=DEST_RANGES,
allowed[].map().firewall_rule().list():label=ALLOW,
denied[].map().firewall_rule().list():label=DENY,
sourceTags.list():label=SRC_TAGS,
sourceServiceAccounts.list():label=SRC_SVC_ACCT,
targetTags.list():label=TARGET_TAGS,
targetServiceAccounts.list():label=TARGET_SVC_ACCT,
disabled
)"
This command lists all firewall rules in your Google Cloud project and displays them in a table format with specific details. Let's break down what each part means:
- gcloud compute firewall-rules list: This is the basic command to list all firewall rules.
- --format="table(...)": This part specifies that the output should be displayed in a table format. Inside the parentheses, you define the columns you want to see.
- name: The name of the firewall rule.
- network: The network the rule applies to (e.g., the "default" network).
- direction: Whether the rule applies to incoming traffic (INGRESS) or outgoing traffic (EGRESS).
- priority: The priority of the rule (lower numbers mean higher priority).
- sourceRanges.list():label=SRC_RANGES: The source IP address ranges that the rule applies to.
- destinationRanges.list():label=DEST_RANGES: The destination IP address ranges that the rule applies to.
- allowed[].map().firewall_rule().list():label=ALLOW: The allowed protocols and ports (e.g., tcp:80, udp:53).
- denied[].map().firewall_rule().list():label=DENY: The denied protocols and ports.
- sourceTags.list():label=SRC_TAGS: Source tags that the rule applies to (tags are labels on VMs).
- sourceServiceAccounts.list():label=SRC_SVC_ACCT: Source service accounts that the rule applies to.
- targetTags.list():label=TARGET_TAGS: Target tags that the rule applies to.
- targetServiceAccounts.list():label=TARGET_SVC_ACCT: Target service accounts that the rule applies to.
- disabled: Whether the rule is currently disabled (true or false).
Essentially, this command gives you a comprehensive overview of your firewall rules in a structured table, making it easier to understand your network security configuration.
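As an added defender-side example (not part of the original post), the following Python script consumes the JSON that the same command emits with --format=json (here a constructed sample embedded inline, with shortened network URLs) and flags enabled INGRESS rules that open SSH or RDP to the whole internet. The field names follow the Compute Engine firewall resource; the rule names and ranges in the sample are invented.

```python
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`,
# trimmed to the fields the table above shows (network URLs shortened for readability).
SAMPLE_RULES_JSON = """
[
  {"name": "allow-ssh-from-anywhere", "network": ".../networks/default",
   "direction": "INGRESS", "priority": 1000, "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-internal", "network": ".../networks/default",
   "direction": "INGRESS", "priority": 65534, "disabled": false,
   "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
  {"name": "allow-rdp-disabled", "network": ".../networks/prod-vpc",
   "direction": "INGRESS", "priority": 1000, "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "deny-all-egress", "network": ".../networks/prod-vpc",
   "direction": "EGRESS", "priority": 65000, "disabled": false,
   "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]}
]
"""

SENSITIVE_PORTS = {"22", "3389"}      # SSH and RDP
ANY_SOURCE = {"0.0.0.0/0", "::/0"}    # "the whole internet" source ranges


def exposes_port(entry, port):
    """True if one allowed[] entry covers `port`: protocol all, tcp with no port
    list (every tcp port), or a tcp port/range that contains it."""
    proto = entry.get("IPProtocol", "").lower()
    if proto == "all":
        return True
    if proto != "tcp":
        return False
    ports = entry.get("ports")
    if not ports:
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= int(port) <= int(hi or lo):
            return True
    return False


def find_open_admin_ingress(rules_json):
    """Names of enabled INGRESS rules allowing 22 or 3389 from any source.
    Note: higher-priority deny rules are not evaluated; review flagged rules by hand."""
    flagged = []
    for rule in json.loads(rules_json):
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if not ANY_SOURCE & set(rule.get("sourceRanges", [])):
            continue
        if any(exposes_port(a, p) for a in rule.get("allowed", []) for p in SENSITIVE_PORTS):
            flagged.append(rule["name"])
    return flagged


if __name__ == "__main__":
    for name in find_open_admin_ingress(SAMPLE_RULES_JSON):
        print(f"admin port open to the internet: {name}")
```

Feed it the real output (gcloud compute firewall-rules list --format=json > rules.json) instead of the sample to review an environment you did not build.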
List VPN Information
gcloud compute vpn-tunnels list --filter="region:( us-central1 europe-west1 )"
This command lists all VPN tunnels in your Google Cloud project that are located in either us-central1 or europe-west1.
gcloud beta compute vpn-tunnels describe <vpnTunnelName> --region <region>
This command provides detailed information about the specific VPN tunnel named <vpnTunnelName> located in <region> of your Google Cloud project. It uses the gcloud beta compute vpn-tunnels describe command, which fetches configuration details, status information, and other relevant data about the specified tunnel. This is useful for troubleshooting, monitoring, or simply getting a comprehensive view of a particular VPN tunnel's settings and operational state.
gcloud beta compute vpn-gateways describe <vpnGatewayName> --region <region>
This command retrieves detailed information about a specific VPN gateway in your Google Cloud project, including its configuration, status, and other relevant data. You need to replace <vpnGatewayName> with the actual name of your gateway and <region> with its location (e.g., us-central1). This is useful for troubleshooting connection issues, monitoring the gateway's health, and verifying its configuration.
gcloud compute routers describe <vpc-router> --region <region>
This command retrieves detailed information about a Cloud Router in your Google Cloud project. You replace <vpc-router> with the name of the router and <region> with its Google Cloud region (e.g., us-central1). This provides insights into the router's configuration, BGP settings, interfaces, and operational status, which is useful for network management, troubleshooting connectivity issues, and verifying that the router is operating as expected.
SUMMARY: With these commands you can generate tables with the relevant information to get to know a specific environment, or to put it into a delivery summary document. However, this is much easier if you use infrastructure as code to generate your infrastructure; that way your code is your own documentation.